Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, so any user who authenticates via this path is logged in without MFA enforcement. This omission means an attacker who gains control of a single account credential can log in to any account that uses the social‑login binding feature, thereby compromising confidentiality and potentially heightened privileges.

Casdoor releases 2.362.0 and earlier are affected. The flaw exists in the social‑login binding feature and any deployment that enables this feature while using those versions.

Based on the description, it is inferred that the likely attack vector is the social‑login binding endpoint, which can be triggered remotely through the social authentication process and typically requires the user to complete the binding flow, often entailing user interaction or social engineering. The CVSS score is 5.3 and the EPSS score is < 1%, but bypassing MFA constitutes a severe security risk because it can lead to full account takeover or compromise of privileged accounts. No public exploitation is recorded, and the vulnerability is not listed in CISA’s KEV catalog, yet the potential impact warrants immediate remedial action.